Next: Parameter generation, Previous: TLS 1.2 Re-authentication, Up: Advanced topics [Contents][Index]
The TLS 1.3 protocol distinguishes between between re-key and re-authentication. The re-key process ensures that fresh keys are supplied to the already negotiated parameters, and on GnuTLS can be initiated using gnutls_session_key_update. The re-key process can be one-way (i.e., the calling party only changes its keys), or two-way where the peer is requested to change keys as well.
The re-authentication process, allows the connected client to switch
identity by presenting a new certificate. Unlike TLS 1.2, the server
is not allowed to change identities. That client re-authentication, or
post-handshake authentication can be initiated only by the server using
gnutls_reauth, and only if a client has advertized support for it.
Both server and client have to explicitly enable support for post handshake
authentication using the GNUTLS_POST_HANDSHAKE_AUTH
flag at gnutls_init.
A client receing an re-authentication request will "see" the error code
GNUTLS_E_REAUTH_REQUEST
at gnutls_record_recv. At this
point, it should also call gnutls_reauth.